Black Friday

WhatsApp Tracks Metadata (+ other security issues)

Douglas Crawford

Douglas Crawford

April 7, 2016

Facebook-owned message app WhatsApp has announced that all communications across all platforms are now fully protected by end-to-end encryption.

From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats.”

It is a move that is rightly being widely hailed as a major victory for privacy.

The good

This means that even WhatsApp (and parent company Facebook) cannot access any of the communications sent by its users, as data is encrypted and decrypted solely on users’ phones, and WhatsApp does not hold the crypto-keys.

The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send that message to. No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.

All data is encrypted using the highly secure Signal messaging system developed by privacy and security legend Moxie Marlinspike, head of Open Whisper Systems.

I have discussed the security used by Signal in our review of that app, so suffice to say that it is generally regarded as the most secure messaging app currently available (although its reliance on the  Google Play Services framework concerns some).

WhatsApp has released a white paper, which provides a detailed overview of the encryption it uses.

Of crucial importance is that WhatsApp is used by over 1 billion people. With a userbase this large, WhatsApp’s move presents a major headache for security services who are (allegedly) worried about “going dark”. It is also almost certainly no coincidence that it was announced just after the FBI’s controversial demands for Apple to help decrypt a San Bernardino shooter’s iPhone were dropped.

In general, then, WhatsApp’s announcement should be viewed as great news for privacy advocates. However…

The bad

WhatsApp is closed source

Despite being based on the Signal protocol (which is open source), WhatsApp is very much closed source software. This means that we simply have to trust it and Facebook’s claims that messages cannot be read by them (i.e. that they have not modified the original Signal source code so that they do in fact hold the crypto-keys).

And of course, when it comes to privacy, we all trust Facebook… don’t we?

This is a situation made worse by WhatsApp’s app permissions, which give Facebook direct access to your phone book and contact details, photos, GPS location data, network information, and more.

On the plus side (and for what its worth), however, WhatsApp’s implementation of the Signal protocol has been personally endorsed by Moxie Marlinspike…

Moxie Marlinspike

Metadata is retained

According to fine print buried deep within its Terms of Service,

WhatsApp may retain date and time stamp information associated with successfully delivered messages and the mobile phone numbers involved in the messages, as well as any other information which WhatsApp is legally compelled to collect.

In other words, it collects and retains a great deal of metadata. This makes a lot of sense, as Facebook is a social network, and knowing who speaks to who, and when, is arguably more valuable from a commercial standpoint than the knowing actual content of discussions.

After all, Facebook did not pay $22 billion for an app it could not monetize!

It should go without saying, of course, that any such metadata collected by WhatsApp for advertising purposes can (and when asked, will) be handed over to the Feds…

Updates make WhatsApp insecure

WhatsApp can update its app at any time. This allows it to modify the code, change or steal users’ crypto-keys, or perform other forms of Man-in-the-Middle (MitM) attack without users’ knowledge. Such a modified app could be downloaded to all users, or to a specific individual.

Although this is also something of a problem with Signal (and is at the root of concern over its use of the Google framework), Signal has gone some way towards addressing the issue by digitally signing its files and releasing reproducible builds of the Signal app so that users can guarantee their version has not been tampered with.

This is not the case with WhatsApp.

MitM notifications are disabled by default

In a curious move, WhatsApp has disabled the Signal framework’s built-in notifications designed to alert users’ who are subjected MitM attacks. This can be enabled using the following steps:

  1. Go to the Contacts tab -> Settings (the 3 dots to the top right) -> Account -> Security
  2. Touch slider next to “Show security notifications

WhatsApp security settings

Goode Drive backups are stored in plaintext

The Android version of WhatsApp includes the option (not turned on by default) to backup messages to Google drive. These messages are not encrypted, and are therefore an easy way to access users’ message history.

Although this feature is easy to disable (or not enable in the first place!), and does not affect iPhone users, there is always the danger that your contact does use it…

Update June 2016: iOS users can now backup their data to iCloud. I have seen the following widely reported on the internet, but cannot find an original source,

Google Drive offers them a native, seamless and safe way to back up their multimedia in the cloud, with added security thanks to encryption.”, says Brian Acton, Co-founder WhatsApp.

Given that WhatApp has no access to encrypted data stored on Drive/iCloud (so who would hold the keys?), it seems likely to me that data is in fact still stored in plaintext..! BestVPN has contacted WhatApp about this issue.


Despite some major reservations, turning on strong end-to-end encryption for over 1 billion people is a bold move, and sets Facebook up for a monumental fight with the US government.

It is also likely to cause conflict on my side of the pond, as the upcoming UK Investigatory Powers Bill (aka the “Snoopers Charter”) requires companies to remove encryption from customers’ messages when asked. It remains unclear how this will play out with end-to-end encryption that WhatsApp is unable to remove.

Given that the original Signal app by Open Whisper systems is fully open source and does not collect your metadata for advertising purposes (and which will be handed over to the authorities if requested), Signal is a much better choice  for those wanting secure messaging.

However, most of your contacts likely use WhatsApp, and are unlikely to be convinced to switch to Signal. Given this all-too-common situation, WhatsApp now provides vastly improved security for a very great number of people.

So… is WhatsApp secure? No. Is it much more secure than it was? Yes.

Your Information will never be shared with any third party.
Enter your email address to receive your Beginner's Guide to Online Security for Free
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the ebook:
Your Information will never be shared with any third party.
Enter your email address to receive your Ultimate Online Privacy Guide eBook!
You'll also receive great privacy news and exclusive software deals!
Enter your email to get the eBook:
Special VPN Deal
Exclusive Offer
Get a Special Deal - 72% OFF!
With a biannual subscription
Exclusive Offer for Visitors!
50% Off Annual Plan
Limited Time Only
Exclusive price of
Exclusive Offer
Get NordVPN for only